Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft

Microsoft Criticized For Removing Exchange Exploit From GitHub (inside.com) 40

"Microsoft-owned GitHub has removed a proof-of-concept (PoC) exploit for critical ProxyLogon bugs in Microsoft Exchange, causing a backlash from security researchers," reports Inside.com's Developer newsletter: The exploit has recently led to infections of as many as 100,000 servers. Microsoft rushed out patches last week for the vulnerabilities in response to a number of Chinese groups exploiting the bugs.

"This is huge, removing a security researcher's code from GitHub against their own product and which has already been patched. This is not good," Dave Kennedy, founder of TrustedSec, tweeted.

"It's unfortunate that there's no way to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe the benefits outweigh the risks," tweeted Tavis Ormandy, a member of Google's Project Zero.

This discussion has been archived. No new comments can be posted.

Microsoft Criticized For Removing Exchange Exploit From GitHub

Comments Filter:
  • by bjoast ( 1310293 ) on Saturday March 13, 2021 @01:16PM (#61154390)
    Instead of crying about what a private corporation decides to do, how about stop relying on centralized services for all your important needs?
  • but many people (like me) believe the benefits outweigh the risks

    So what you're saying is that your "belief" should be taken as gospel and every other individual or business that doesn't share that belief is wrong ?

    Typical fucking security "researcher" nerd arrogance. Fuck you.

    • The article immediately before this one is about how that same exchange server is experiencing "escalated attacks."

    • As it happens, I disagree with them.
      We CAN share information in ways that it's pretty available to the appropriate people, the white hats, but not readily available to all the script kiddies. We actually do that regularly.

      That said, no they did NOT say their opinion is gospel and everyone else is wrong. They stated their belief based in their relevant experience.

      You responded to that with a straw man attack that's neither true not particularly relevant to the issue being discussed. Probably because you d

    • Fuck you.

      You know, I think I may have pinpointed why he is a trusted expert who gets quoted in major articles because people actually value his opinion, and you are, well... you.

      • I love to cuss up a storm, and I have been offered the chance to write a recurring column for a Linux magazine. If I had taken it (I was too busy with life stuff at the time) I would have simply not cussed in the articles.

        Profanity is not the career-ender you imagine it to be

  • I know it's fun to be upset at Microsoft, but I think this is the right call. This attack is in the wild, plenty of servers that still need to be patched, and posting this (what was posted was a non-working proof of concept that probably could be gotten to a working one with other available information) in a wide open place like github was not a good idea. To me it's the same as selling something that's not a gun that's missing one part that can be bough somewhere else that's easy to find.

    Surly if the fol

    • by Tom ( 822 )

      This attack is in the wild, plenty of servers that still need to be patched,

      You really think there are many bad guys out there who don't have the exploit already? Ah... what I would give to live in your world of naive comfort...

      • Better than living in your world where we just give up even trying.

        • As my grandfather used to say: "There are no high fences, only lazy burglars".

          Removing the exploit from GitHub erects a very, very low fence.

        • by Tom ( 822 ) on Sunday March 14, 2021 @01:02AM (#61156090) Homepage Journal

          Give up? Boy, I spend every hour of every working day and way too much of my spare time thinking about and working on improving IT security and I've done that for 20+ years.

          Closing the barn door after the horse has not only left but has already been seen in the neighbouring village is bullshit. I'm not surprised that the epicenter of incompetence has done it, flailing around as they are whenever a big thing hits, as they've always done.

          But everyone knows that shooting at where the enemy is now only wastes ammo. You need to shoot at where the enemy will be when your bullet gets there. And right now, the enemy is not trying to figure out the exploit, the enemy is compromising servers by the thousands. The enemy already has the exploit, has already weaponized it, has already deployed it in large-scale attacks and is already using it as a delivery system for further attacks. The enemy is four steps ahead of figuring out the exploit, but hey, let's pull some code off the Internet because that will do... what, exactly?

          (don't bullshit me with it will prevent script kiddies to join the currently ongoing attacks. If you're worried about script kiddies in this, we need to have a serious discussion about why your threat model and risk analysis suck so badly.)

    • The reason for it to be in GitHub isn't for the bad people, they already have it. It's more useful for the good people to be able to prove if they themselves are vulnerable and to confirm they are no longer vulnerable after patching.
  • told you so... (Score:4, Insightful)

    by Tom ( 822 ) on Saturday March 13, 2021 @03:42PM (#61154818) Homepage Journal

    Is it already time to pull out the "told you so" from back when the evil empire acquired Github?

    If you haven't moved your code off Github unto some other service yet, now's the time.

    • Is it already time to pull out the "told you so" from back when the evil empire acquired Github?

      You told everyone that MS would not change the existing github policies when it acquired them? It’s against Github’s ToS so why would you expect that they wouldn’t do this?

      • by Tom ( 822 )

        Nope, just told everyone that Github can no longer be trusted.

        When you live in, say, Turkey, and Erdogan just put his son in charge of the bank that holds your family heirlooms in their vault, any smart person would move those to a different bank, not wait until the '"shit, I should've done it" moment.

        This is MS protecting themselves because they own the place. If it were the same thing but about a competing product, I'm quite sure it would be removed... a little less promptly.

        But hey, don't believe me. I'v

        • This is MS protecting themselves because they own the place.

          I'm not sure how this has anything to do with Microsoft, this was Github policy before the Microsoft acquisition.

    • It was time at the time.

      I removed my repos from github as soon as the announcement was made.

      • by Tom ( 822 )

        So did I.

        Surprisingly though, github is still the main player and only a small number of projects moved off it.

  • Hosting exploits at GitHub in a public repo is a TOS violation.

    So, what's the big deal? GitHub is owned by a corporation. They have rights. Their rights to their property exceed your rights to use their property except as defined within the TOS which they also have the right to re-write at any time without grandfathering in anything.

    It's theirs.

    Just like Twitter and other social media has the absolute right to ban, shadow ban, purge, or whatever they want to whomever they want on their servers, so does M

    • Nobody has argued that Microsoft has no right to take down repositories. Please, name the person who has.

      We're arguing that they shouldn't.

  • Let's take a look at the parallel universe right next door on year in the future. On it's /. we see the headlines "Microsoft sued for not removing Exchange Exploit from GitHub, allowing development of 'Knock-Knock' worm that crashed the Internet for three weeks just two months ago."

    Damned if you do, damned if you don't.

Utility is when you have one telephone, luxury is when you have two, opulence is when you have three -- and paradise is when you have none. -- Doug Larson

Working...